1. Field of the Invention
The present invention generally relates to the transfer of data using cut and paste operations in a computer windowing system and, more particularly, to a secure means for untrusted window system client programs to transfer data between security domains at the user's instigation under the user's control with the transfer mediated by a special client program.
2. Description of the Prior Art
Windowing systems are commonly used in computer systems to provide the user with a graphic user interface (GUI) to manage multitasked computer programs. A separate window is typically opened for each computer program currently running on the computer. The windowing systems provide the user with a number of tools to facilitate, among other things, the transfer of data from one document generated by one program to another document prepared by a different and unrelated program. One of these tools is the so-called "cut and paste" operation, where data is bracketed in one window and moved to and inserted in another window. These operations are typically implemented using a cursor controlled by a mouse. One windowing environment currently in use is "The X Window System" (trademark of Massachusetts Institute of Technology), which runs on the Unix operating system developed by AT&T Bell Laboratories. (Unix is a trademark of Novell.)
Security labeling is one of the basic requirements of the Defense Intelligence Agency's (DIA) Requirements for System High and Compartmented Mode Workstations (referred to as the CMW Requirements). These requirements in particular deal with secure multi-level windowing systems for workstations, where several windows with potentially different security levels can be open at any given time. The security levels for these windows are controlled with security labels, that is, Mandatory Access Control (MAC) labels that indicate the overall sensitivity level associated with a subject or object, and a finer granularity of labels called information labels that label aggregates of data. The sensitivity or MAC levels are enforced with the "no read up" (no reading of objects at higher sensitivity levels) and "no write down" (no writing to objects at lower sensitivity levels) rules for all users except privileged users. Because of this "no read up" rule, ordinary users have a tendency to work at as high a sensitivity level as possible, so that they can see everything. But because of the "no write down" rule, all objects, no matter how trivial their contents, must then be labeled at that same high sensitivity level. In order to prevent this over-classifying of data, CMW provides for a system of information labels that give some indication of the "true" sensitivity of the data. Information labels are both user controlled and system controlled: users set them originally and may change them as needed, while the system updates them through propagation or floating; that is, as a process reads sensitive data, its own (process) information label floats to the maximum (least upper bound) of the information labels of all the data it has read, and when it subsequently writes to other objects, their information labels, assuming they are allowed to receive the data, also float in a similar fashion.
Performing interwindow movements of data when the sensitivity and information labels are at different security levels is one of the basic features which makes CMW useful. However, all interwindow moves must conform to the "no read up, no write down" rules indicated above. Specifically, the regrading of labels through cut and paste operations can only be performed as follows: all privileged and ordinary users are allowed to upgrade MAC labels, only privileged users are allowed to downgrade MAC labels, and all privileged and ordinary users are allowed to upgrade or downgrade information labels. CMW requires that this be done in an interactive fashion, so that the user is cognizant of any label changes.
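The label rules described in the two paragraphs above can be made concrete in a small model. The following Python is an added example written for this page, not code from the patent or from any CMW implementation: it builds a constructed label lattice (hierarchical levels plus compartments), the "no read up" / "no write down" checks, information-label floating to the least upper bound, and a `paste` function that applies the regrade rules (anyone may upgrade a MAC label, only a privileged user may downgrade one, anyone may raise or lower an information label). The level names, the `Window` class, the `info_override` parameter and the rule that an information label may never exceed its window's MAC label are assumptions of this example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Constructed example lattice: four hierarchical levels plus free-form compartments.
RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A CMW-style label: a hierarchical level plus a set of non-hierarchical compartments."""
    level: str
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        """self >= other in the lattice: higher-or-equal level and a superset of compartments."""
        return (RANK[self.level] >= RANK[other.level]
                and self.compartments >= other.compartments)

    def lub(self, other: "Label") -> "Label":
        """Least upper bound: the value an information label floats to."""
        level = self.level if RANK[self.level] >= RANK[other.level] else other.level
        return Label(level, self.compartments | other.compartments)


def can_read(subject_mac: Label, object_mac: Label) -> bool:
    """'No read up': the subject's MAC label must dominate the object's."""
    return subject_mac.dominates(object_mac)


def can_write(subject_mac: Label, object_mac: Label) -> bool:
    """'No write down': the object's MAC label must dominate the subject's."""
    return object_mac.dominates(subject_mac)


@dataclass
class Window:
    """A window (hypothetical model) with its MAC label and its floating information label."""
    name: str
    mac: Label
    info: Label


def paste(privileged: bool, src: Window, dst: Window, selection_info: Label,
          info_override: Optional[Label] = None) -> Label:
    """Mediated cut-and-paste of a selection from src into dst.

    Returns dst's new information label, or raises PermissionError if the move
    would break the regrade rules. selection_info is the information label of the
    bracketed data; info_override is a label the user chose for it explicitly
    (users may raise or lower information labels themselves).
    """
    # MAC regrade: a move to a dominating label is an upgrade, open to all users;
    # anything else is a downgrade and requires privilege.
    if not can_write(src.mac, dst.mac) and not privileged:
        raise PermissionError(f"{src.name} -> {dst.name}: MAC downgrade needs privilege")
    # Information label: user-set if given, otherwise floated to the LUB of what
    # dst already holds and what is being pasted.
    new_info = info_override if info_override is not None else dst.info.lub(selection_info)
    # Assumption in this example: an information label may never exceed the window's
    # MAC label, so a privileged MAC downgrade must also lower the information label.
    if not dst.mac.dominates(new_info):
        raise PermissionError(f"{dst.name}: information label {new_info} exceeds MAC {dst.mac}")
    dst.info = new_info
    return dst.info


if __name__ == "__main__":
    unclass, secret = Label("UNCLASSIFIED"), Label("SECRET")
    low = Window("xterm-low", mac=unclass, info=unclass)
    high = Window("xterm-high", mac=secret, info=unclass)
    # Ordinary user pastes upward; the destination's information label floats.
    print(paste(False, low, high, Label("CONFIDENTIAL")))
```

Note that the MAC check is made before anything is mutated and the information label is only written once both checks pass, which is the property the patent wants from a mediating client: the untrusted source and destination programs never see the data change labels except through the mediator's decision.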
The X Window System consists of an X Server and a number of application programs which perform various functions. The X Server communicates with these applications through the sending of events which are generated as a result of user inputs. In the X Window System, the X Server merely mediates cut and paste operations which are initiated and controlled by normally untrusted client programs such as Xterm. Another application which is directly involved with cutting and pasting operations is the Window Manager. The Window Manager is responsible for most of the visual manipulations of windows.
SecureWare has a CMW on the market using the X Window System as a base, but it uses the Window Manager, not a separate client, for cutting and pasting operations. With SecureWare's implementation, only certain data types can be handled, and clients may surreptitiously change data after approval, or receive it before approval. Other than their own documents, there are no papers that have been published detailing their work and, in particular, nothing has been published on how to handle regrading cut and paste operations. Smith et al., in "Secure MultiLevel Windowing in a B1 Certifiable Secure UNIX Operating System", Winter 1989 USENIX Conference Proceedings, describe secure cut and paste operations on windows, but this work is not based on the X Window System and is solely concerned with MAC compliance. There is no concept of information labeling. Carson et al., in "From B2 to CMW: Building a Compartmented Mode Workstation on a Secure Xenix Base", Proceedings of the AIAA/ASIS/IEEE Third Aerospace Computer Security Conference, 1987, describe a CMW implementation, but this implementation uses XENIX as its operating system and Viewnix as its base windowing system, and its cutting and pasting operations use a completely different mechanism, entirely under central control. (XENIX is a trademark of Microsoft Corporation, and Viewnix is a trademark of Five Paces Software Inc.)